Mauritius
AI behavior law: bot and agent disclosure, crawler and training-data rules, automated-agent transactions, and algorithmic decision-making.
Summary
Mauritius presents moderate risk. The Data Protection Act 2017 (in force January 2018) is the most GDPR-aligned framework in this batch: legitimate interest is a valid lawful basis, the Data Protection Commission is operational, and cross-border transfer rules apply. The Computer Misuse and Cybercrime Act 2003 (amended 2017) criminalises unauthorised access to computer systems; "access" is broadly defined (instructing, communicating with, retrieving data from), but the Act includes an implied-consent carve-out, so publicly accessible pages are not clearly within scope. No specific scraping statute or case law exists. Public-page crawling of non-personal data is tolerable; personal data collection requires a lawful basis under the DPA 2017; no TDM exception exists; no sui generis database right applies.
Automated-access legality
Carried forward from the crawler-law index. Governs whether automated clients may access public websites in this jurisdiction.
| Dimension | Value |
|---|---|
| Authorization test | without permission |
| Public-page carve-out | unsettled |
| Terms-of-service browsewrap enforceable | notice-dependent |
| Terms-of-service clickwrap enforceable | yes |
| Copyright exception model | fair dealing narrow |
| Text and data mining — commercial status | prohibited |
| Text and data mining — opt-out mechanism | none |
| robots.txt legal weight | non-binding notice |
| AI training-specific law | none |
| Privacy regime | Data Protection Act 2017 (GDPR-aligned) |
| Trespass to chattels | not recognized |
Last reviewed: 2026-05-23. Confidence: medium. Not legal advice.